Were the US Navy Ship Collisions the Result of Hacking?

With the recent string of US Navy ship collisions including the USS McCain and Fitzgerald, the mind of a security professional will instantly think of all the possible malicious ways an attacker could target naval systems to cause a vessel to crash. Multiple collisions with similar factors will lead to even more speculation. Although professionals should not claim attribution or causes without facts, I wanted to find out if it was realistic to think that a cyber attack could have caused these incidents, so I asked a former naval officer some questions.

At Defcon I watched a presentation on Using GPS Spoofing to Control Time. The presenter cited incidents involving GPS jammers and navigation systems showing incorrect locations. In one example, he suggested changing Uber trip details to get a free ride. When I told this to an Uber driver, he said, “That’s not very nice!” Changing the path of a ship in a maritime system could have far greater consequences.

Could Hacking Take Over All Control of a US Navy Ship?

I talked to a friend who is a former Navy Submarine OOD, or Officer of the Deck. He said submarines are different, but this incident “makes no sense.” Even if all the electrical and navigational systems failed, there should be human lookouts who manually inspect the surrounding area to steer clear of ships that are not following the rules or are off-course. According to the Navy Lookout Training Handbook, three people should be manning a surface ship in peacetime: in non-sailor terms, two in the front with one on each side, and one in the back. Crew members should be watching for problems, and navy ships should have enough maneuverability to avoid colliding with an approaching vessel.

In an article by Ars Technica, With the USS McCain collision, even Navy tech can’t overcome human shortcomings, a former Navy officer explains that these watch positions are not easy without experience and training. When he was just starting out, “I was trying to keep track of every fishing boat and merchant ship in my head with well over 40 visual contacts bobbing around us as we steamed east.” He had some issues, at which point a more senior crew member noticed the problem and took over. It is clear that training and experience are critical. With proper training, a crew following the rules should have seen the container ship approaching in the case of the USS McCain.

What about steering failure? Could attackers take over the steering such that the crew could not avoid the oncoming vessel? The article mentions steering failure was involved and possibly linked to the integration bridge navigation system (IBNS). If the electronic steering system fails, the ship has a manual hydraulic steering system for the rudder, according to my navy source. If that fails, they should go “red red” on masthead lights, which tells other ships that the navy ship can’t maneuver. Bigger ships should not be on auto-pilot in congested waters and will see the alert and avoid the navy ship. Unfortunately, in this article the Philippines-flagged cargo ship ACX Crystal collided with the USS Fitzgerald and the commercial vessel was on auto-pilot. Even if the Navy ship's mast lights were signaling a maneuverability failure, the cargo ship would have hit it anyway.

Blame the Humans or Consider Cyber Attacks?

In most cases, it appears that manual efforts and trained sailors can avoid collisions. Many people have suggested that training was the issue. The navy fired crew members. So, at this point should we just blame the humans and move on? Certainly, training is essential. Due to suspected GPS tampering possibilities, sailors are learning ancient celestial navigation techniques. Multiple people should be watching for problems, and manual overrides for electronic systems exist. However, failing to complete a full investigation into the root cause could leave ships vulnerable to cyber attacks.

Is it possible that someone could hack a ship? Two security researchers demonstrated they could remotely hijack digital systems and steer a Jeep off course. Although navy navigational and steering systems are much different and undoubtedly more secure, it is not a far stretch to think that someone might want to try to attack them and steer a ship off course. Thinking about the possibilities can help prevent future incidents. For example, in the book Dark Territory: The Secret History of Cyber War, Fred Kaplan explains how the movie War Games raised the awareness of possible security problems for the president at the time, Ronald Reagan. Considering the possibilities led to an investigation of potential security flaws. The investigation uncovered systems very vulnerable to attack and resulted in national defense system improvements.

No one can draw a conclusion as to whether hacking was involved in the USS McCain or Fitzgerald incidents until concrete facts are available. Hopefully sufficient tamper-proof logs and recordings will provide enough evidence. Various headlines have jumped to conclusions on both sides. Whether investigators suspect a cyber attack or not, it is always good to understand attack vectors and to complete a full investigation to rule out the possibility. Even if a cyber attack was not the cause of these incidents, considering the attack vectors will help find and fix problems and prevent future system failures that could lead to dangerous consequences. The above links show that security problems do exist in maritime systems, and regardless of the cause of these incidents, cyber-security awareness training is valuable for both military and civilian sailors. — Teri Radichel (@teriradichel)